Currently I have a lighttpd server with flup and webpy. If you make enough requests fast enough (say clicking a link repeatedly many times or doing an apache bench) Lighttpd throws a 500 internal server error. At this point it is pretty easy to exploit (I can break it with several clicks of a link).
Lighttpd code:
fastcgi.server = (
"/sm" => (
( "host" => "127.0.0.1",
"port" => 7000,
"check-local" => "disable",
)
)
)
And the error in my lighttpd error logs:
2012-11-09 16:17:32: (mod_fastcgi.c.3005) got proc: pid: 0 socket: tcp:127.0.0.1:7000 load: 15
2012-11-09 16:17:32: (mod_fastcgi.c.2494) unexpected end-of-file (perhaps the fastcgi process died): pid: 0 socket: tcp:127.0.0.1:7000
2012-11-09 16:17:32: (mod_fastcgi.c.3325) response not received, request sent: 1252 on socket: tcp:127.0.0.1:7000 for /sm , closing connection
2012-11-09 16:17:32: (mod_fastcgi.c.1515) released proc: pid: 0 socket: tcp:127.0.0.1:7000 load: 14
This makes me feel like lighttpd is breaking because flup didn't respond. Now, I can simply throw more threads at the problem and it goes away (or at least makes it harder to exploit). flup server code:
#!/usr/bin/python
from apps.main import app as main_app
# run as fastcgi
from flup.server.fcgi import WSGIServer
params = {
'multiplexed': False,
'bindAddress': ('127.0.0.1', 7000),
'maxThreads': 9, <---- If I move this up to 20 no more problems
}
server = WSGIServer(main_app.wsgifunc(), **params)
server.run()
Another reason I think this is a flup problem is because I can bypass the flup server and just do a proxy that sends requests directly to webpy and I don't have the problem. Now, I would rather not just up the threads if there is a more elegant solution out there. Does anyone know what could be causing flup to break? Or are my conclusions thus far misplaced?